On 03/16/2010 07:24 PM, Nilesh Govindarajan wrote:
On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <[email protected]> wrote:
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <[email protected]> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <[email protected]> wrote:
I don't think we need any security team for Arch. New packages are
released within a week of their updates. GPG signing and md5sum
verification is a must though.

md5sum verification has ALWAYS been done


In a security context, verification of files installed by a package
_after installation_ would be nice.  i.e. "pacman --verify
/usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my
/usr/sbin/sshd matches that of the official package.

Jared


Let this thread not be just another "Will be nice" one. Pacman devs,
please start implementing these package verification things.


sudo make me a sandwich.

--
Ionut
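
The post-installation check proposed in this thread ("pacman --verify /usr/sbin/sshd") can be sketched as follows; this is an added example, not code from the thread or from pacman. The function names, the SHA-256 default and the demo package are assumptions, and the package archive is assumed to be a trusted copy (for example, one whose signature was checked).

```python
import hashlib
import io
import os
import tarfile
import tempfile

def digest(fileobj, algo="sha256"):
    """Hash a file-like object in chunks."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_installed(pkg_path, root, targets=None, algo="sha256"):
    """Compare files under `root` with the copies inside the package archive.
    Returns {path: "ok" | "modified" | "missing"} (hypothetical helper)."""
    results = {}
    with tarfile.open(pkg_path) as pkg:
        for member in pkg:
            # Skip directories, links and metadata entries such as .PKGINFO.
            if not member.isfile() or member.name.startswith("."):
                continue
            path = "/" + member.name
            if targets and path not in targets:
                continue
            installed = os.path.join(root, member.name)
            if not os.path.isfile(installed):
                results[path] = "missing"
                continue
            with open(installed, "rb") as f:
                same = digest(f, algo) == digest(pkg.extractfile(member), algo)
            results[path] = "ok" if same else "modified"
    return results

def build_demo():
    """Constructed sample: a tiny package archive and an install root."""
    tmp = tempfile.mkdtemp()
    pkg_path = os.path.join(tmp, "demo-1.0-1-any.pkg.tar.gz")
    files = {".PKGINFO": b"pkgname = demo\n",
             "usr/sbin/sshd": b"official sshd\n",
             "etc/demo.conf": b"a=1\n"}
    with tarfile.open(pkg_path, "w:gz") as pkg:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            pkg.addfile(info, io.BytesIO(data))
    root = os.path.join(tmp, "root")
    os.makedirs(os.path.join(root, "usr/sbin"))
    with open(os.path.join(root, "usr/sbin/sshd"), "wb") as f:
        f.write(b"tampered sshd\n")  # differs from the packaged copy
    return pkg_path, root
```

A result of "modified" for a configuration file is often a legitimate local edit, so a check like this is most meaningful for binaries and libraries.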
